Mike Cardwell wrote:
Marc Perkel wrote:
Yes - but I think what he's saying is that you have to start with a
list of bank domains, then test those domains with higher scrutiny.
Does such a list exist? One of my users was getting a lot of spam
pretending to be from banks. I ended up just compiling a regular
expression to match against the from header of the emails:
@([-a-zA-Z0-9\.]+[-\.])?(rbs|barclays|halifax|secure-halifax|hsbc|natwest|nationwide|northernbank|cbonline|ybonline|co-operativebank|bank-of-ireland|bankofengland|lloydstsb|bankofscotland|firstdirect|alliance-leicester|abbeynational|egg|new\.egg|woolwich|firsttrustbank|ulsterbank|citibank|icicibank)\.(com|co\.uk)
It's far from comprehensive obviously, but it covers most of what he was
receiving.
If that regular expression matches, and the connecting host is in a list
of what I refer to as "dodgy countries," then I reject the email.
Yes, that's the type of thing I was thinking of, Mike.
I was thinking it might be easier to maintain as a plugin with a
separate bank-domains.cf file listing banking type domains as Henrik has
done for freemail, and then query a FROM_BANK type rule.
My thinking is that combined as a meta with a few simple
keywords/phrases (e.g. alert, security, account suspended, etc.) it might
make a very effective rule against bank phish.
Heck, I've almost considered automatically quarantining *all* mail
claiming to be FROM a bank domain and manually reinjecting those very
rare legitimate examples I see on my server.
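The bank-domains list plus keyword meta described in the two replies above, worked through as an added Python example; this is not code from the thread, from SpamAssassin or from any plugin, and the `bank-domains.cf` contents, the sample messages and the function names are all constructed for illustration. It goes slightly beyond the thread by matching on whole domain labels, so a listed bank domain is recognised as itself or as a parent of a subdomain, but not when it merely appears as a prefix of some other domain (the regular expression quoted earlier has no terminating anchor, so it would also match such addresses).

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the proposed bank-domains.cf file
# (assumption: one registrable domain per line, '#' starts a comment).
BANK_DOMAINS_CF = """
# bank-domains.cf (constructed sample, not a real list)
hsbc.co.uk
barclays.co.uk
natwest.com
lloydstsb.com
citibank.com
"""

# Phrases suggested in the thread for the keyword half of the meta rule.
PHISH_KEYWORDS = ("alert", "security", "account suspended")


def load_bank_domains(cf_text):
    """Parse a bank-domains.cf-style listing into a set of lower-cased domains."""
    domains = set()
    for line in cf_text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line)
    return domains


def from_domain(from_header):
    """Return the domain of the From: address (lower-cased, no trailing dot), or ''."""
    _, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_bank_domain(domain, bank_domains):
    """FROM_BANK: the domain is a listed bank domain or a subdomain of one.

    Walking label-by-label from the right means 'hsbc.co.uk.example.test'
    is NOT treated as hsbc.co.uk, which an unanchored regex would do."""
    if not domain:
        return False
    labels = domain.split(".")
    return any(".".join(labels[i:]) in bank_domains for i in range(len(labels)))


def has_phish_keywords(subject, body, keywords=PHISH_KEYWORDS):
    """BANK_KEYWORDS: any listed phrase appears in Subject or body, case-insensitively."""
    text = f"{subject}\n{body}".lower()
    return any(k in text for k in keywords)


def score_message(msg, bank_domains):
    """Evaluate the two base rules and the meta that requires both:
    BANK_PHISH = FROM_BANK && BANK_KEYWORDS. Returns the set of rule names hit."""
    hits = set()
    if is_bank_domain(from_domain(msg.get("From", "")), bank_domains):
        hits.add("FROM_BANK")
    if has_phish_keywords(msg.get("Subject", ""), msg.get("Body", "")):
        hits.add("BANK_KEYWORDS")
    if {"FROM_BANK", "BANK_KEYWORDS"} <= hits:
        hits.add("BANK_PHISH")
    return hits


# Constructed sample messages (not real mail) covering the interesting cases.
SAMPLES = {
    "phish": {
        "From": "HSBC Security <noreply@secure.hsbc.co.uk>",
        "Subject": "Security alert: account suspended",
        "Body": "Click here to restore access.",
    },
    "legit_statement": {
        "From": "statements@hsbc.co.uk",
        "Subject": "Your monthly statement is ready",
        "Body": "Log in to view it.",
    },
    "lookalike": {
        "From": "alerts@hsbc.co.uk.example.test",  # listed domain is only a prefix
        "Subject": "Security alert",
        "Body": "Your account has been suspended.",
    },
    "display_name_only": {
        "From": "Barclays <someone@example.test>",  # bank name only in display name
        "Subject": "Account suspended",
        "Body": "",
    },
}


def run_samples():
    """Score every constructed sample; returns {sample_name: set_of_rule_hits}."""
    bank_domains = load_bank_domains(BANK_DOMAINS_CF)
    return {name: score_message(m, bank_domains) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:20s} {sorted(hits)}")
```

The `legit_statement` sample shows why the meta matters: a real statement notice hits FROM_BANK alone and would be quarantined by the "quarantine everything claiming to be from a bank" approach, but not by the meta. The `display_name_only` sample shows the other gap: a bank name that appears only in the display name, with an unrelated address, never hits FROM_BANK at all, so the keyword half carries that case on its own.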